-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
5 changed files
with
148 additions
and
51 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,7 +1,43 @@ | ||
# Rustica Agent | ||
# RusticaAgent | ||
|
||
Rustica Agent the agent portion of the Rustica SSHCA. It is designed to be an SSH-Agent that uses keys loaded on a Yubikey though also supports a file, generally for requesting host certs which are not stored on Yubikeys. See command help for more complete documentation on use. | ||
## Introduction | ||
This is the agent portion of the project and manages keys as well as talking to Rustica and remote SSH hosts. It supports using a Yubikey for hardware backed SSH keys as well as adding external key files after the agent has started. | ||
|
||
Rustica-Agent does not support the normal array of SSH-Agent calls, instead only supporting `Identities` and `Sign`. The reason for this is the call for identities initiates a request to a Rustica SSHCA server. Rustica is then expected to return a cert that contains all permissions your key is allowed, including all principals, and hosts. This SSH certificate is generated containing the public portion of the key present on your Yubikey (which may contain up to 24 keys, the key used is chosen at agent start either by command line flag or configuration file). | ||
## Limitations | ||
RusticaAgent does not support the normal array of SSH-Agent calls, the currently supported calls are: | ||
|
||
It is possible to generate keys that require touch (and Rustica Agent allows you to create such keys) though SSH in unaware this is happening so you must notice your key is blinking and act accordingly. Pin is not supported. | ||
- `Identities` - Called when connecting to a host or running `ssh-add -L` | ||
- `Sign` - Called when connecting to a host and a public key has been accepted. | ||
- `AddIdentity` - Called when running `ssh-add <path>` | ||
|
||
## Usage | ||
When using RusticaAgent it is preferable to provide a configuration file that contains all the parameters needed for normal operation. Any configuration file setting may be override by also providing it on the command line. RusticaAgent also only presents a single Yubikey backed key to the remote server but will present any other keys added with the `AddIdentity` call (keys added with `ssh-add`). | ||
|
||
An example configuration file can be found at `../examples/rustica_agent_local.toml`. This file is compatible with a Rustica instance running `../examples/rustica_local_file.toml`. | ||
|
||
## Examples | ||
### Daemon Mode | ||
`rustica-agent --config ../examples/rustica_agent_local.toml --slot R1 --socket /tmp/rustica_agent_tmp_socket` | ||
|
||
> Note: RusticaAgent does not currently fork and background itself because it causes issues accessing USB devices on macOS. | ||
This command: | ||
- Loads all the settings from the config file (server, mTLS, TLS, etc) | ||
- Overrides the key to use with the key in Yubikey slot R1 | ||
- Overrides the socket path to be used | ||
- Starts listening for requests on that unix socket | ||
|
||
### Immiediate Mode | ||
`rustica-agent --config ../examples/rustica_agent_local.toml -i` | ||
|
||
Fetches a certificate from the backend, pretty prints it to stdout, and quits. This is useful for double checking what permissions the server has granted you for a key. | ||
|
||
### Immiediate Save Mode | ||
`rustica-agent --config ../examples/rustica_agent_local.toml -i -o fetched-cert.pub` | ||
|
||
This is exactly the same as above but outputs a valid SSH certificate for the provided key. This is useful for file based keys, particularly for refreshing server certificates. | ||
|
||
### Provision Mode | ||
`rustica-agent --config ../examples/rustica_agent_local.toml --slot R1 provision -r --subject ExampleKey` | ||
|
||
This creates a new key pair in the given slot. The -r flag means that touch will be needed for every usage and the subject flag adds the given string to the CN of the generated x509 self signed certificate. Once this is complete, it will generated the attestation chain using the `F9` slot and attempt to register the key with the Rustica server. The backend will use the attestation chain to verify the key was generated on a hardware device and then permissions may be assigned to it. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,65 @@ | ||
# Rustica | ||
|
||
The server portion of the Rustica project. It is designed to be used with rustica-agent for certificate handling but speaks generic gRPC so other integrations are possible. Rustica requires at least 1 + N standard (not HSM) Yubikey 4/5s: one for the server, and one for every client (though rustica-agent is capable of using a key file instead). You may also wish to generate keys directly on yubikeys (see the provision command in rustica-agent) so they never exist off the key. | ||
The server portion of the Rustica project. | ||
|
||
## Building | ||
Depending on your needs, Rustica can be built with several different features to enable different use cases. To build them all (generally for testing), run: | ||
`cargo build --features=all`. Below is summary of all the optional features, what they do, and how to configure them. | ||
|
||
## amazon-kms | ||
This compiles in support to use AmazonKMS as the backend for signing. This requires defining two key identifiers as well as AWS credentials that can access them. These keys must be asymettric, with the Sign/Verify capabilities. Encrypt/Decrypt will not work. | ||
|
||
### Example Configuration | ||
```toml | ||
[signing."amazonkms"] | ||
aws_access_key_id = "XXXXXXXXXXXXXXXXXXXX" | ||
aws_secret_access_key = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" | ||
aws_region = "us-west-2" | ||
user_key_id = "mrk-00000000000000000000000000000000" | ||
user_key_signing_algorithm = "ECDSA_SHA_384" | ||
host_key_id = "mrk-00000000000000000000000000000000" | ||
host_key_signing_algorithm = "ECDSA_SHA_384" | ||
``` | ||
|
||
### yubikey-support | ||
This compiles in support to use a connected Yubikey 4/5 as the backend for signing. This requires defining two slot identifiers in the form of R followed by a number from 1 to 20 inclusive. For example R1, R9, R12, R20. These keys must be ECDSA 256/384. RSA keys are not supported at this time. | ||
|
||
### Example Configuration | ||
```toml | ||
[signing."yubikey"] | ||
user_slot = "R2" | ||
host_slot = "R3" | ||
``` | ||
|
||
## influx | ||
Compiles in support to log to an InfluxDB backend. See the example configurations for more details on how to set this up. | ||
|
||
### Example Configuration | ||
```toml | ||
[logging."influx"] | ||
address = "http://some-local-influx-instance:8080" | ||
database = "rustica" | ||
dataset = "rustica_logs" | ||
user = "influx_user" | ||
password = "influx_password" | ||
``` | ||
|
||
## splunk | ||
Compiles in support to log to an Splunk backend. See the example configurations for more details on how to set this up. | ||
|
||
### Example Configuration | ||
```toml | ||
[logging."splunk"] | ||
token = "c46d7213-19ea-4a66-b83b-e4b06188d197" | ||
url = "https://http-inputs-examplecompany.splunkcloud.com/services/collector" | ||
timeout = 5 | ||
``` | ||
|
||
## local-db | ||
Compiles in support for Rustica to handle authorization without talking to an external service. This requires a local SQLite database with all configured permissions and grants. See `rustica/migrations/2021-01-14-051956_hosts/up.sql` for a detailed explanation of how to configure this database. | ||
|
||
### Example Configuration | ||
```toml | ||
[authorization."database"] | ||
path = "examples/example.db" | ||
``` |